Full Disclosure: NIS Security Hole / Full Access by NIS Client Root

By Angsuman Chakraborty, Gaea News Network
Tuesday, May 15, 2007

Several years ago I noticed a big issue with NIS security at Sun, which I promptly reported hoping for a patch. Today I found out it is still there. Hopefully a full disclosure will help solve it. In a typical NIS/NFS setup, NIS distributes the account database (the passwd and group maps) and home directories are exported over NFS, so a user can log in to the same account from any client machine (much as Windows users log in to a domain). Users are commonly given root on their local machines to make installing software easy. By default the NFS server exports home directories with root_squash, which remaps requests arriving with UID 0 to an unprivileged anonymous UID, so the local root account cannot read the NFS-mounted directories directly. So far so good. However, unknown to most, root_squash is the only check standing in the way. Strictly speaking this is not a bug in NIS itself: with the default NFS security flavour (AUTH_SYS, also called AUTH_UNIX) the server simply trusts whatever UID and GIDs the client puts in each request, and root_squash touches only UID 0. A local root account can therefore read everything in any NIS user's account.

So if you only have root access to your own machine, you can read the NFS-mounted home directories of all NIS users, even those who have never logged in to your machine. This effectively makes everyone's account data (email, programs, whatever lives under their home directory), your boss's included, visible to almost everyone else. In short, an ideal recipe for an insider attack.

The way to accomplish this is deceptively simple.
But first assure yourself that as root you indeed cannot access any NIS account's home directory. Suppose there is an NIS user whose login is angsuman. As root, try to access ~angsuman (for example, ls ~angsuman). You will be denied access, assuming the directory is not world-readable: the server has squashed your UID 0 to the anonymous UID, which has no rights to angsuman's files.

All you have to do is su angsuman instead. Because you are root, su asks for no password, and because angsuman is in the NIS passwd map, the account resolves even though that user has never logged in to your machine. You are now running as NIS user angsuman, and every NFS request your machine sends carries angsuman's UID, which root_squash does not touch. The server cannot tell you apart from the real angsuman. Just cd ~angsuman and have fun. It is that simple!

How to protect your company as a system administrator?
Either you stop relying on AUTH_SYS for the exports that hold users' data, or you restrict who gets the local root account. Moving away from NIS alone does not help: an LDAP-backed account database with the same NFS exports has exactly the same problem, because the weakness is that the NFS server believes the UID the client asserts. The real fix is Kerberized NFS (RPCSEC_GSS, exported with sec=krb5, krb5i or krb5p), where a request is authenticated by a ticket the user holds rather than by a client-asserted UID, so root on the client gains nothing by running su. Until then, do not hand out root on machines that mount NIS users' home directories, and restrict exports to known hosts, since root_squash by itself protects nothing. Both approaches have the downside of requiring more system administration work and potentially creating more bottlenecks.
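The following shell script, added here as an example and not part of the original post or of any vendor's tooling, audits an /etc/exports file for the weakness described above: it flags every export that relies on AUTH_SYS (sec=sys, which is also what you get when sec= is omitted) or on sec=none, whether or not root_squash is set, and accepts only the Kerberos flavours. The sample exports content, hostnames and paths are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/exports for exports
# that rely on AUTH_SYS ("sec=sys", the default) plus root_squash. With
# AUTH_SYS the server trusts the UID the client puts in each request, so a
# client root that runs "su someuser" is indistinguishable from someuser.
# root_squash only remaps UID 0 and is no defence. Only the Kerberos flavours
# (sec=krb5, krb5i, krb5p) require a credential that client root does not hold.
set -f   # no pathname expansion: "*" is a legitimate client spec in /etc/exports

# Constructed sample /etc/exports (hostnames and paths are hypothetical).
SAMPLE_EXPORTS='# NIS home directories
/export/home   *(rw,root_squash)
/export/home2  192.168.10.0/24(rw,sec=sys,root_squash)
/export/home3  nfs-clients.example.com(rw,sec=krb5p,root_squash)
/export/tools  lab.example.com(ro,sec=sys:krb5,root_squash)
/export/scratch   ws17.example.com
'

# classify_export "opt,opt,..." -> prints WEAK or OK
# WEAK if sec= is absent (exportfs defaults to sys) or if the sec= list names
# any flavour other than krb5/krb5i/krb5p (sys trusts the client UID, none
# ignores it entirely).
classify_export() {
    sec=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1)
    [ -z "$sec" ] && sec=sys
    verdict=OK
    for flavour in $(printf '%s\n' "$sec" | tr ':' ' '); do
        case $flavour in
            krb5|krb5i|krb5p) ;;
            *) verdict=WEAK ;;
        esac
    done
    echo "$verdict"
}

# audit_exports < exports-file -> one line per client spec: VERDICT PATH CLIENT(OPTS)
audit_exports() {
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac   # skip blank lines and comments
        set -- $line
        path=$1; shift
        for spec in "$@"; do
            case $spec in
                *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      opts= ;;   # bare host: every option defaults, including sec=sys
            esac
            printf '%s %s %s\n' "$(classify_export "$opts")" "$path" "$spec"
        done
    done
}

# count_weak < exports-file -> number of client specs that trust the client UID
count_weak() {
    audit_exports | awk '$1 == "WEAK" { n++ } END { print n + 0 }'
}

# Run against the constructed sample; on a real server use: audit_exports < /etc/exports
printf '%s' "$SAMPLE_EXPORTS" | audit_exports
```

Run it against the live file with audit_exports < /etc/exports. Every line marked WEAK is an export on which the su trick works for any client root, regardless of root_squash; the only line the script accepts in the sample is the krb5p export, and even that still needs the clients to be in the Kerberos realm and the mount to use the same flavour.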